Monday, 25 June 2018

windows 7 - How can I prevent an admin user from bypassing K9 Web Protection


Problem: It is super easy to bypass K9 Web Protection by renaming a file in the Windows\System32 directory in Windows 7.


Question: How do I prevent an admin user from renaming said file in said directory, thereby bypassing K9 Web Protection? OR, if I can't do that, how do I enable a standard user to install programs?



Answer



I actually can't think of a reliable way to do this as stated, I'm afraid.


Perhaps someone with better Windows security knowledge knows of a way but as far as I know, a user with Admin rights on a non-Domain (stand alone) computer can do anything they want to if they know what they are doing.


You could try to fool Windows into adding the file into the list used by the Windows File Protection feature. But I've no real idea if this is workable. A determined person would still be able to delete the file if they really wanted to.




With regard to the second part of the question: you can't, I'm afraid. Not on a stand alone PC.


If you really need protection on one or more computers, you need to make them part of a Windows Domain. Windows Domains are able to enforce security policies of many kinds. This includes required software & services to be running, files and folders that are protected, limited administration rights and so on. To do this, you need to run at least one physical or virtual server and there are license costs too.




For your purposes though, a much better option that avoids running up an entire Windows domain would be to create a "transparent proxy". Basically, you set your router or firewall to only forward traffic to the Internet if it goes via your proxy. You run your filters on the proxy. Anyone who tries to bypass the proxy doesn't connect to anything useful. Set up DHCP (either via your router or from the proxy) so that PCs connecting to your network automatically have a "default gateway" pointed at the proxy and possibly filter all DNS requests through it as well. Of course, you still need a spare PC to do this and it may need to be a reasonable one if the traffic to the Internet is heavy.


UPDATE: Having read the other referenced thread re transparent proxying, I can see that your other problem was due to the lack of SSL support in TinyProxy. So don't use that if you can. If you have a PC that you can configure as a proxy, that would be best, though to do it best, you need two Ethernet ports. Even an old laptop would do the job; add a PCMCIA or USB Ethernet adaptor as the second card. On a desktop, it would be easy; many desktops actually have two Ethernet ports already. Have a search on Google on how to set up SQUID on Linux or even Windows (if you must) as a transparent proxy. With that set up, you will have no problem proxying and filtering SSL connections.
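
The firewall side of the two-port Linux proxy described in the answer above, as an added example that is not part of the original answer: web and DNS traffic arriving from the LAN is redirected to the box itself, and nothing is routed past it. The interface name `eth1`, the Squid intercept ports 3128 and 3129, and a DNS resolver running on the box are assumptions; the script only prints the rules unless `APPLY=1` is set.

```shell
#!/bin/sh
# Dry-run generator for the firewall rules on a two-NIC Linux box acting as
# transparent proxy and default gateway. Assumed values (not from the post):
# LAN interface eth1, Squid intercept ports 3128 (HTTP) and 3129 (HTTPS),
# and a DNS resolver listening on the box itself.

LAN_IF="${LAN_IF:-eth1}"
HTTP_PORT="${HTTP_PORT:-3128}"
HTTPS_PORT="${HTTPS_PORT:-3129}"

# Print the iptables commands, one per line, without executing them.
gateway_rules() {
    lan="$1"; http="$2"; https="$3"
    # Web traffic from the LAN is redirected to the local proxy ports.
    echo "iptables -t nat -A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-ports $http"
    echo "iptables -t nat -A PREROUTING -i $lan -p tcp --dport 443 -j REDIRECT --to-ports $https"
    # DNS aimed at any outside resolver is answered by the resolver on this box.
    for proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -i $lan -p $proto --dport 53 -j REDIRECT --to-ports 53"
    done
    # Nothing is routed through: clients reach the Internet only via the proxy.
    echo "iptables -P FORWARD DROP"
}

# Accept only a plain interface name and numeric ports in range, so the
# generated lines are safe to hand to a shell.
valid_args() {
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    for p in "$2" "$3"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
}

if ! valid_args "$LAN_IF" "$HTTP_PORT" "$HTTPS_PORT"; then
    echo "invalid interface or port" >&2
    exit 1
elif [ "${APPLY:-0}" = "1" ]; then
    gateway_rules "$LAN_IF" "$HTTP_PORT" "$HTTPS_PORT" | sh -e   # needs root
else
    gateway_rules "$LAN_IF" "$HTTP_PORT" "$HTTPS_PORT"           # dry run
fi
```

The redirect on port 443 only works if the proxy is set up to intercept SSL on the assumed port; without that, drop the 443 line and the `FORWARD DROP` policy blocks HTTPS outright.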

